- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 2 Nov 2012 02:12:45 -0700
- To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
[This thread has nothing to do with ISSUE-28 (already closed).]

Folks, I know almost nothing about the MRC and care even less about this debate, but it seems obvious from the materials already provided that:

1) MRC is about auditing the measuring techniques -- it doesn't sound like it performs any collection itself, nor is it a party to any protocol interaction relevant to DNT. If it were, I assume it would be treated just like an auditor.

2) The original question was about how long a data controller that performed measurement (e.g., an advertising network billing function) would have to retain original source materials for the sake of complying with an audit. It is not about data collection -- that is already covered by the permitted use for financial/audit. The only reason MRC was brought up is because they apparently have a specific retention requirement of one year, which would mean that a US company subject to MRC audits needs to retain the source data for a year regardless of DNT:1, but only to the extent necessary to support the measurements that it performed that are already permitted by DNT:1. It is only one potential example of necessary retention and, IIRC, is already addressed in general by Nick's proposal for compliance.

3) AFAICT, the suggested questions are about as relevant to the MRC as it would be to ask the SEC how they purchase stocks.

I have no idea if MRC is a legitimate organization or whether its data retention requirements have any relevance to DNT compliance. Since they were only provided as a single point example and the proposed requirements for compliance are based on what is necessary for the data collector, not what is necessary for all data collectors, I simply don't care. Neither should anyone else. At most, it might make for an interesting test case for regulators, and they can investigate such a case based on actual facts rather than suppositions.

I object to wasting any more of our meeting times on this subject. If people want to do research on MRC, then do it on your own time, or propose compliance text that would make the research relevant to us.

....Roy

On Nov 1, 2012, at 11:49 PM, Rob van Eijk wrote:

> Two more questions:
>
> 4/ Is MRC collecting identifiers based on fingerprinting, for example a hash of the user agent.
> 5/ If fingerprinting is used, is it the primary mechanism, or is it a fall back mechanism, when cookies fail/are not present.
>
> Rob
>
> Rigo Wenning wrote on 2012-11-01 23:36:
>> Chris,
>>
>> here is the reminder that you wanted to try to find someone in MRC
>> who could present to the Working Group.
>>
>> I think the best would be to get a set of questions to him/her. A
>> presentation and Q&A session would be done during the TP WG call.
>>
>> I encourage Ed and others to help with the questions. I remember the
>> following:
>>
>> 1/ How does opt-out work with MRC? Is data collection mandatory?
>> 2/ Is MRC collecting identified or identifiable data?
>> 3/ If 2/ is yes, are there plans to change that in the foreseeable
>> future?
>>
>> Chris, feel free to suggest changes if you find the questions too
>> provocative (I find them exploratory as I don't know nothing about
>> MRC).
>>
>> I talked to the chairs and Aleecia also said it is a good idea. So
>> can you help us to make this happen?
>>
>> Rigo

Received on Friday, 2 November 2012 09:13:08 UTC